A cross-site scripting vulnerability in the oracle_query parameter of the asktheoracle.php page was brought to our attention by Mohd Izhar Bin Ali. We thank them for giving us the chance to fix this issue before releasing information to the public. More details about the vulnerabilities can be found in this security advisory.
Affected Stable Versions:
Stable branch up to v3.6.0 (inclusive)
Fix:
Update to 3.6.1 or higher (if available).
Cross Site Scripting
Short Description:
A cross-site scripting vulnerability existed in the asktheoracle.php page. An attacker could use it to execute arbitrary HTML and script code by means of the oracle_query parameter.
Potential Impact:
An attacker could use prepared links to include and run scripts within the context of LogAnalyzer in the user's browser.
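The pattern behind this class of issue, and the fix, as an added illustration (not LogAnalyzer's own code): a query parameter echoed back into the page without encoding, beside the same output routed through context-aware HTML encoding. Only the parameter name oracle_query comes from the advisory; the functions and the sample input are constructed.

```php
<?php
// Illustrative example, not LogAnalyzer's source. It shows the reflected-XSS
// pattern described in the advisory (a request parameter interpolated into
// markup unencoded) and the corresponding defensive fix.
declare(strict_types=1);

// Encode a string for an HTML text node or a quoted attribute value.
// ENT_QUOTES handles both quote styles; ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently producing an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the raw parameter lands in both a text node and an
// attribute, so any markup the client supplies is rendered by the browser.
function render_unsafe(string $oracle_query): string
{
    return '<h2>Results for: ' . $oracle_query . '</h2>'
         . '<input type="text" name="oracle_query" value="' . $oracle_query . '">';
}

// Fixed pattern: every interpolation goes through h(), so the value is shown
// literally and cannot terminate the text node or the attribute.
function render_safe(string $oracle_query): string
{
    $q = h($oracle_query);
    return '<h2>Results for: ' . $q . '</h2>'
         . '<input type="text" name="oracle_query" value="' . $q . '">';
}

// Constructed input (used when run from the CLI without a request): harmless
// markup and quotes that must nevertheless be displayed as text, not parsed.
$query = $_GET['oracle_query'] ?? '<i>hello</i> & "quotes"';

header('Content-Type: text/html; charset=UTF-8');
echo render_safe($query), PHP_EOL;
// render_unsafe($query) would emit the <i> tag as live markup; render_safe
// emits &lt;i&gt;hello&lt;/i&gt; &amp; &quot;quotes&quot; instead.
```

Declaring the charset in the Content-Type header matters as well: the encoder's output is only unambiguous when the browser decodes the page with the same encoding the server assumed.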
Credits:
We want to thank Mohd Izhar Bin Ali for identifying these issues and working with us in resolving them. More details can be found in their advisory.